Why does Private.Ki need JavaScript

You might wonder why JavaScript is required to use Private.Ki (especially if you’re privacy-conscious and normally disable JS).

Unlike some simple websites that only display static content, Private.Ki is a web application that performs complex tasks in your browser – most importantly, end-to-end encryption of your emails and chats. Here’s an explanation of why JavaScript is essential for Private.Ki’s security and functionality:

Client-Side Encryption/Decryption: Private.Ki follows a zero-access security model, meaning encryption and decryption of your messages happen on your device, not on our servers. In a web browser environment, the only way to perform those cryptographic operations (generate keys, encrypt data, decrypt data) is by using JavaScript. The Private.Ki web app includes cryptographic scripts that take your password and derive encryption keys, encrypt your outgoing messages before sending, and decrypt incoming data so you can read it. If JavaScript is disabled, this code can’t run. In short, JavaScript is needed to do the math and mechanics of encryption in your browser.

Authentication: When you log in, JavaScript helps with the authentication process. For example, it handles computing a special version of your password (so the raw password never leaves your browser), and it manages your session securely.

Dynamic User Interface: Private.Ki’s interface is interactive – new messages appear in real time, you can click buttons to reveal content, etc. JavaScript is behind all these dynamic behaviors. For example, when you open an email, JavaScript is what takes the encrypted text and decrypts it and then renders it nicely in the browser. It’s also used for things like sending messages, updating notifications, and so on. Without JS, you would basically have a non-functional interface since none of the buttons or actions would respond.

Security Features: Beyond encryption, certain security features (like generating a pair of keys in your browser during account setup, or verifying digital signatures on incoming messages) are done via JavaScript code. We require JavaScript to guarantee that the encryption works properly and your session is secure.

It’s for security, not tracking: We want to emphasize that Private.Ki’s use of JavaScript is purely for providing the service (especially encryption). We are not running third-party trackers or ads that some users rightfully block with NoScript or similar. All the scripts required for Private.Ki are there to protect your privacy, not invade it. Of course, exercising caution on the web in general is wise, but you can feel comfortable allowing Private.Ki scripts.